QUESTION 213
You have been asked to configure a Cisco ASA appliance in multiple mode with these settings:
(A) You need two customer contexts, named contextA and contextB.
(B) Allocate interfaces G0/0 and G0/1 to contextA.
(C) Allocate interfaces G0/0 and G0/2 to contextB.
(D) The physical interface name for G0/1 within contextA should be "inside".
(E) All other context interfaces must be viewable via their physical interface names.

A. It defines a mechanism to allow a RADIUS server to initiate a communication inbound to a NAD.
B. It defines a wide variety of authorization actions, including "reauthenticate".
C. It defines the format for a Change of Authorization packet.
D. It defines a DM.
E. It specifies that TCP port 3799 be used for transport of Change of Authorization packets.

A. When using the Cisco ISE solution, the Security Group Tag gets defined as a separate authorization result.
B. When using the Cisco ISE solution, the Security Group Tag gets defined as part of a standard authorization profile.
C. Security Group Tags are a supported network authorization result using Cisco ACS 5.x.
D. Security Group Tags are a supported network authorization result for 802.1X, MAC Authentication Bypass, and WebAuth methods of authentication.
E. A Security Group Tag is a variable length string that is returned as an authorization result.

Answer: ACD

QUESTION 220
Refer to the exhibit. What is the cause of the issue that is reported in this debug output?

A. The identity of the peer is not acceptable.
B. There is an esp transform mismatch.
C. There are mismatched ACLs on remote and local peers.
D. The SA lifetimes are set to 0.

Answer: C

QUESTION 221
Refer to the exhibit, which shows a partial configuration for the EzVPN server. Which three missing ISAKMP profile options are required to support EzVPN using DVTI? (Choose three.)

QUESTION 224
In order to implement CGA on a Cisco IOS router for SeND, which three configuration steps are required? (Choose three.)

A. Generate an RSA key pair.
B. Define a site-wide pre-shared key.
C. Define a hash algorithm that is used to generate the CGA.
D. Generate the CGA modifier.
E. Assign a CGA link-local or globally unique address to the interface.
F. Define an encryption algorithm that is used to generate the CGA.

Answer: ADE

QUESTION 225
As defined by Cisco TrustSec, which EAP method is used for Network Device Admission Control authentication?

A. EAP-FAST
B. EAP-TLS
C. PEAP
D. LEAP

Answer: A

QUESTION 226
Which three statements about the keying methods used by MACsec are true? (Choose three.)

A. Key management for host-to-switch and switch-to-switch MACsec sessions is provided by MKA.
B. A valid mode for SAP is NULL.
C. MKA is implemented as an EAPoL packet exchange.
D. SAP is enabled by default for Cisco TrustSec in manual configuration mode.
E. SAP is not supported on switch SVIs.
F. SAP is supported on SPAN destination ports.

Answer: BCE

QUESTION 227
What is the function of this command?
switch(config-if)# switchport port-security mac-address sticky

A. It allows the switch to restrict the MAC addresses on the switch port, based on the static MAC addresses configured in the startup configuration.
B. It allows the administrator to manually configure the secured MAC addresses on the switch port.
C. It allows the switch to permanently store the secured MAC addresses in the MAC address table (CAM table).
D. It allows the switch to perform sticky learning, in which the dynamically learned MAC addresses are copied from the MAC address table (CAM table) to the startup configuration.
E. It allows the switch to dynamically learn the MAC addresses on the switch port, and the MAC addresses will be added to the running configuration.

Answer: E

QUESTION 228
When configuring a switchport for port security that will support multiple devices and that has already been configured for 802.1X support, which two commands need to be added? (Choose two.)

A. The 802.1X port configuration must be extended with the command dot1x multiple-host.
B. The 802.1X port configuration must be extended with the command dot1x port-security.
C. The switchport configuration needs to include the command switchport port-security.
D. The switchport configuration needs to include the port-security aging command.
E. The 802.1X port configuration needs to remain in port-control force-authorized rather than port-control auto.

Answer: AC

QUESTION 229
In Cisco IOS, what is the result of the ip dns spoofing command on DNS queries that are coming from the inside and are destined to DNS servers on the outside?

A. The router will prevent DNS packets without TSIG information from passing through the router.
B. The router will act as a proxy to the DNS request and reply to the DNS request with the IP address of the interface that received the DNS query if the outside interface is down.
C. The router will take the DNS query and forward it on to the DNS server with its information in place of the client IP.
D. The router will block unknown DNS requests on both the inside and outside interfaces.

Answer: B

QUESTION 230
The Wi-Fi Alliance defined two certification programs, called WPA and WPA2, which are based on the IEEE 802.11i standard. Which three statements are true about these certifications? (Choose three.)

A. WPA is based on the ratified IEEE 802.11i standard.
B. WPA2 is based on the ratified IEEE 802.11i standard.
C. WPA enhanced WEP with the introduction of TKIP.
D. WPA2 requires the support of AES-CCMP.
E. WPA2 supports only 802.1X/EAP authentication.

Answer: BCD

QUESTION 231
When you are configuring the COOP feature for GETVPN redundancy, which two steps are required to ensure the proper COOP operations between the key servers? (Choose two.)

A. Generate an exportable RSA key pair on the primary key server and export it to the secondary key server.
B. Enable dead peer detection between the primary and secondary key servers.
C. Configure HSRP between the primary and secondary key servers.
D. Enable IPC between the primary and secondary key servers.
E. Enable NTP on both the primary and secondary key servers to ensure that they are synchronized to the same clock source.

Answer: AB

QUESTION 232
A Cisco Easy VPN software client is unable to access its local LAN devices once the VPN tunnel is established. What is the best way to solve this issue?

A. The IP address that is assigned by the Cisco Easy VPN Server to the client must be on the same network as the local LAN of the client.
B. The Cisco Easy VPN Server should apply split-tunnel-policy excludespecified with a split-tunnel-list containing the local LAN addresses that are relevant to the client.
C. The Cisco Easy VPN Server must push down an interface ACL that permits the traffic to the local LAN from the client.
D. The Cisco Easy VPN Server should apply a split-tunnel-policy tunnelall policy to the client.
E. The Cisco Easy VPN client machine needs to have multiple NICs to support this.

Answer: B

QUESTION 233
During the establishment of an Easy VPN tunnel, when is XAUTH performed?

A. at the end of IKEv1 Phase 2
B. at the beginning of IKEv1 Phase 1
C. at the end of Phase 1 and before Phase 2 starts in IKEv1 and IKEv2
D. at the end of Phase 1 and before Phase 2 starts in IKEv1

QUESTION 235
A frame relay PVC at router HQ has a CIR of 768 kb/s and the frame relay PVC at router branch office has a CIR of 384 kb/s. Which QoS mechanism can best be used to ease the data congestion and data loss due to the CIR speed mismatch?

A. traffic policing at the HQ
B. traffic policing at the branch office
C. traffic shaping at the HQ
D. traffic shaping at the branch office
E. LLQ at the HQ
F. LLQ at the branch office

Answer: C

QUESTION 236
Refer to the exhibit. A customer has an IPsec tunnel that is configured between two remote offices. The customer is seeing these syslog messages on Router B:
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=x, sequence number=y
What is the most likely cause of this error?

A. The customer has an LLQ QoS policy that is configured on the WAN interface of Router A.
B. A hacker on the Internet is launching a spoofing attack.
C. Router B has an incorrectly configured IP MTU value on the WAN interface.
D. There is packet corruption in the network between Router A and Router B.
E. Router A and Router B are not synchronized to the same timer source.

Answer: A

QUESTION 237
In ISO 27001 ISMS, which three of these certification process phases are required to collect information for ISO 27001? (Choose three.)

A. COBIT and ISO 27002 both define a best practices framework for IT controls.
B. COBIT focuses on information system processes, whereas ISO 27002 focuses on the security of the information systems.
C. ISO 27002 addresses control objectives, whereas COBIT addresses information security management process requirements.
D. Compared to COBIT, ISO 27002 covers a broader area in planning, operations, delivery, support, maintenance, and IT governance.
E. Unlike COBIT, ISO 27002 is used mainly by the IT audit community to demonstrate risk mitigation and avoidance mechanisms.

Answer: ABC

QUESTION 239
The IETF is a collaborative effort by the international community of Internet professionals to improve the design, use, and management of the Internet. Which international organization charters the activity of IETF?